
A vulnerable honeypot exposed online can be compromised in 24 hours

Researchers deployed multiple instances of vulnerable systems and found that 80% of the 320 honeypots were compromised within 24 hours.

Researchers from Palo Alto Networks deployed a honeypot infrastructure of 320 nodes to analyze how threat actors target exposed services in public clouds.

The company set up the honeypots between July 2021 and August 2021 to analyze the time, frequency and origins of the attacks targeting them.

The instances included systems exposing remote desktop protocol (RDP), secure shell protocol (SSH), server message block (SMB) and Postgres database. The experts discovered that 80% of the 320 honeypots were compromised within 24 hours and all of the honeypots were compromised within a week. 

Below are some findings shared by the experts:

  • The most attacked application was SSH.
  • The most attacked SSH honeypot was compromised 169 times in a single day.
  • Each SSH honeypot was compromised on average 26 times per day.
  • One threat actor compromised 96% of the 80 Postgres honeypots that the researchers deployed, and all of those instances were hacked within 30 seconds.
  • 85% of the attacker IPs were observed only on a single day, demonstrating that Layer 3 IP-based firewalls are not effective against these attacks because threat actors rotate the IP addresses they launch attacks from.

“Four types of applications, SSH, Samba, Postgres and RDP, were evenly deployed across the honeypot infrastructure. We intentionally configured a few accounts with weak credentials such as admin:admin, guest:guest, administrator:password. These accounts grant limited access to the application in a sandboxed environment. A honeypot will be reset and redeployed when a compromising event is detected, i.e., when a threat actor successfully authenticates via one of the credentials and gains access to the application,” reads the post published by Palo Alto Networks. “To analyze the effectiveness of blocking network scanning traffic, we blocked a list of known scanner IPs on a subset of honeypots.”

The researchers updated the firewall policies once a day based on the observed network scanning traffic, to prevent reconnaissance and attacks conducted with scanners. Each firewall policy might block 600-3,000 known scanner IP addresses.

Every time one of the virtual machines composing the honeypot infrastructure became unresponsive, the controller redeployed the virtual machine and application.

The experts analyzed the time-to-first-compromise (the time elapsed between deployment and the first successful compromise) for the different services. The time-to-first-compromise for Samba installs was 2485 minutes, 667 minutes for RDP, 511 for Postgres, and 184 minutes for SSHD.

Palo Alto’s study also focuses on the mean time-between-compromise, that is, the average time between two consecutive compromising events on a targeted application.

“A vulnerable service on the internet is usually compromised multiple times by multiple different attackers. To compete for the victim’s resources, attackers commonly attempt to remove malware or backdoors left by other cybercriminal groups (e.g., Rocke, TeamTNT),” continues the report. “Mean time-between-compromise resembles an attacker’s time on a compromised system before the next attacker shows up. Similar to time-to-first-compromise, the mean time-between-compromise of an application is also inversely proportional to the number of attackers targeting the application.”
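To make the three metrics above concrete, here is an added example (not code from Palo Alto Networks or from the study) that computes time-to-first-compromise per service, mean time-between-compromise per honeypot, and the share of attacker IPs seen on only one day, over a small constructed set of compromise events; the honeypot names, timestamps and IPs are all made up for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample data (not from the study): when each honeypot was
# deployed, which service it ran, and the successful-authentication
# events recorded as (timestamp, honeypot, attacker source IP).
DEPLOYED = {hp: "2021-07-01T00:00:00" for hp in ("ssh-01", "ssh-02", "pg-01", "rdp-01")}
SERVICE = {"ssh-01": "ssh", "ssh-02": "ssh", "pg-01": "postgres", "rdp-01": "rdp"}
EVENTS = [
    ("2021-07-01T00:00:25", "pg-01", "198.51.100.7"),
    ("2021-07-01T02:10:00", "ssh-01", "203.0.113.5"),
    ("2021-07-01T03:40:00", "ssh-01", "203.0.113.9"),
    ("2021-07-01T04:00:00", "ssh-02", "203.0.113.5"),
    ("2021-07-01T09:40:00", "ssh-01", "198.51.100.20"),
    ("2021-07-01T11:07:00", "rdp-01", "192.0.2.44"),
    ("2021-07-02T01:00:00", "ssh-02", "203.0.113.5"),
]

def _t(s):
    return datetime.fromisoformat(s)

def time_to_first_compromise(events):
    """Minutes from deployment to the first compromise, averaged per service."""
    first = {}
    for ts, hp, _ in sorted(events):  # ISO timestamps sort chronologically
        first.setdefault(hp, (_t(ts) - _t(DEPLOYED[hp])).total_seconds() / 60)
    per_service = defaultdict(list)
    for hp, minutes in first.items():
        per_service[SERVICE[hp]].append(minutes)
    return {svc: mean(v) for svc, v in per_service.items()}

def mean_time_between_compromise(events):
    """Mean minutes between consecutive compromises of the same honeypot."""
    by_hp = defaultdict(list)
    for ts, hp, _ in sorted(events):
        by_hp[hp].append(_t(ts))
    gaps = {}
    for hp, times in by_hp.items():
        if len(times) > 1:  # a single compromise yields no interval
            gaps[hp] = mean([(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])])
    return gaps

def single_day_ip_fraction(events):
    """Share of attacker IPs seen on only one calendar day; a high value means
    a daily IP blocklist would mostly block addresses that never return."""
    days = defaultdict(set)
    for ts, _, ip in events:
        days[ip].add(ts[:10])
    return sum(1 for d in days.values() if len(d) == 1) / len(days)
```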

Researchers also analyzed the geographic distribution of the attacks: systems deployed in the APAC region were the most targeted by threat actors.

“The problem of insecurely exposed services is not new to public cloud, but the agility of cloud infrastructure management makes the creation and replication of such misconfigurations faster. The research highlights the risk and severity of such misconfigurations. When a vulnerable service is exposed to the internet, opportunistic attackers can find and attack it in just a few minutes. As most of these internet-facing services are connected to some other cloud workloads, any breached service can potentially lead to the compromise of the entire cloud environment,” concludes the report.

Below is the list of recommendations to protect cloud services published by Palo Alto Networks:

  • Create a guardrail to prevent privileged ports from being open.
  • Create audit rules to monitor all the open ports and exposed services.
  • Create automated response and remediation rules to fix misconfigurations automatically.
  • Deploy next-generation firewalls in front of the applications, such as VM-Series or WAF to block malicious traffic.


Pierluigi Paganini

(SecurityAffairs – hacking, honeypot)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
